Commit f3c73a0

Update book/04-git-server/sections/protocols.asc
Co-authored-by: Ben Straub <[email protected]>
1 parent d8f8809 commit f3c73a0

1 file changed

+6
-3
lines changed

book/04-git-server/sections/protocols.asc

+6-3
@@ -196,9 +196,12 @@ It uses the same data-transfer mechanism as the SSH protocol but without the enc
196196

197197
===== The Cons
198198

199-
Due to the lack of TLS or other cryptography, cloning over git:// might lead to an arbitrary code execution vulnerability and should therefore be avoided unless you know what you are doing:
200-
If you run `git clone git://example.com/project.git` an attacker who controls e.g your router can modify the repo you just cloned, inserting malicious code into it. If you then compile/run the code you just cloned, you will execute the malicious code.
201-
Running `git clone http://example.com/project.git` should be avoided for the same reason. Running `git clone https://example.com/project.git` does not suffer from the same problem (unless the attacker can provide a TLS certificate for example.com). Running `git clone [email protected]:project.git` only suffers from this problem if you accept a wrong ssh key fingerprint.
199+
Due to the lack of TLS or other cryptography, cloning over `git://` might lead to an arbitrary code execution vulnerability, and should therefore be avoided unless you know what you are doing.
200+
201+
* If you run `git clone git://example.com/project.git`, an attacker who controls e.g your router can modify the repo you just cloned, inserting malicious code into it. If you then compile/run the code you just cloned, you will execute the malicious code.
202+
Running `git clone http://example.com/project.git` should be avoided for the same reason.
203+
* Running `git clone https://example.com/project.git` does not suffer from the same problem (unless the attacker can provide a TLS certificate for example.com).
204+
Running `git clone [email protected]:project.git` only suffers from this problem if you accept a wrong ssh key fingerprint.
202205

203206
It also has no authentication, i.e. anyone can clone the repo (although this is often exactly what you want).
204207
It's also probably the most difficult protocol to set up.
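Review bot: at 202+ and 204+ the two `Running ...` lines carry no `*` marker, so in AsciiDoc they join the paragraph of the preceding list item (the `http://` sentence becomes part of the `git://` item, the ssh sentence part of the `https://` item) rather than rendering as items of their own. If that grouping is intended, make it explicit with a `+` list continuation or a blank line between the items; otherwise prefix each with `*`. Two smaller points in the same hunk: `e.g your router` at 201+ should read `e.g. your router`, and the ssh example at 204+ shows up as `[email protected]:project.git`, which looks like an e-mail obfuscation artifact in the rendered page rather than the intended `user@host:path` form, so verify the committed text reads as the author meant.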
